Privacy Policy

ZapMatch Malaysia operates the ZapMatch platform at zapmatch.com.my. We are the data controller for personal data collected through this platform. Contact us at support@zapmatch.com.my.

Agent account data: Full name, email address, WhatsApp phone number, REN/REA number, agency name.

Signal data: Buyer and tenant requirement details (property type, area, budget, financing status). Raw WhatsApp messages you paste are processed by AI and then deleted from storage after 30 days.

Activity data: Signals posted, matches viewed, contacts unlocked, WhatsApp links opened, last seen timestamp.

Payment data: Handled by Stripe. We store only your Stripe customer ID, subscription status, and credit balance — not card numbers.

Device data: Browser type, IP address (for rate limiting and fraud detection), push notification device token.

• Buyer or tenant IC numbers, salary, or bank details — these are stripped from signals before storage
• Property transaction values or agent commissions
• Location data beyond the territory/state you self-declare

To operate the platform: Matching signals to agents in relevant territories, facilitating co-broke introductions, processing payments.

To improve the platform: Aggregate analytics on signal types, match rates, and territory activity (never linked to individual buyers).

To communicate with you: Notifications about matches, signal expiry, account status, and platform updates. You can control notification preferences in your settings.

For trust and safety: Detecting fraudulent signals, verifying REN numbers, calculating trust scores.

Buyer requirement data (WTB/WTR signals) is shared only with verified REN agents who have relevant territory coverage. Buyer WhatsApp numbers are only revealed to listing agents who unlock the contact — they are never displayed publicly on the platform or on agent profiles.

If you are a buyer or tenant whose agent posted your requirements on ZapMatch, you may contact us at support@zapmatch.com.my to request deletion of your data.

We share personal data with:

• Supabase — database and authentication (servers in Singapore)
• Anthropic — AI parsing of signal text (processed in transit; Anthropic does not train on API inputs by default)
• Stripe — payment processing (Malaysia-compliant)
• Resend — transactional email delivery
• OneSignal — push notification delivery
• Twilio — WhatsApp OTP verification
• Vercel — platform hosting (servers in Singapore/Asia-Pacific)

We do not sell your personal data to third parties.

Agent account data is retained until you delete your account. Signal raw text is deleted after 30 days (PII protection). Match records are retained for 12 months for audit purposes. Stripe payment records are retained per Stripe's data retention policy (7 years for compliance).

You have the right to:

• Access the personal data we hold about you
• Correct inaccurate data via your profile settings
• Delete your account and associated data (contact us)
• Opt out of marketing emails via notification settings
• Data portability — request an export of your signal and match history

To exercise these rights, email support@zapmatch.com.my.

We use only essential cookies for authentication (session tokens managed by Supabase). We do not use third-party tracking cookies or advertising cookies.

We use HTTPS for all data in transit, row-level security (RLS) in our database so agents can only access their own data, and AES-256 encryption at rest via Supabase. Despite these measures, no system is completely secure — please report any security concerns to support@zapmatch.com.my.

We will notify you of material changes by email at least 14 days before they take effect. The effective date at the top of this page reflects the latest version.